Hi,
Recently I had to move our OpenVPN server installation from one server to another. The whole process was a breeze and could be done in under 30 minutes!
In our case, we were migrating from RHEL 5.4 to CentOS 5.8. I'll go through the migration steps in details, but will not cover the OS and OpenVPN installation for the time being.
We're also using routed-tunnel mode, not bridged-tunnel.
So, let's get to it!
To migrate an OpenVPN installation, you basically need the following stuff migrated as is, or with a little bit of modification:
- The server.conf file; this will need some editing
- The ipp.txt file; this is needed if you need to keep the same list of certificates vs. IP addresses
- The keys/ directory; this contains all the machine keys
- The vars script that is responsible for setting the certificate/keys variables before creation time
Since the default OpenVPN installation locations for the configuration files when using YUM is /etc/, we'll use that for our discussion. Thus, the following needs to be moved from the old to the new server:
/etc/openvpn/server.conf
/etc/openvpn/ipp.txt
/etc/openvpn/easy-rsa/2.0/vars
/etc/openvpn/easy-rsa/2.0/keys/
/etc/openvpn/server.conf:
Upon moving this file, make sure to edit the local configuration line and insert the new server's listening interface's IP address.
Upon moving this file, no editing is required, as this serves as a mapping between keys/certificates and the VPN IP addresses.
/etc/openvpn/easy-rsa/2.0/vars:
Upon moving this file, no editing is required. Note however that this file is very important if you are going to create new keys over the new OpenVPN server.
It is generally a good idea to do the certificate storage and creation on a separate server with no Internet access for security reasons.
/etc/openvpn/easy-rsa/2.0/keys/:
Upon moving this directory, make sure that all files' permissions are intact and identical to those on the original server.
Now comes the second part of the migration, setting up the server for OpenVPN. It's quite simple actually, and goes on as follows:
Edit the /etc/sysctl.conf file and change the following line:
from ==> net.ipv4.ip_forward = 0
to ==> net.ipv4.ip_forward = 1
Run the following command to apply the changes:
[root@openvpn openvpn]# sysctl -p
- Allow connection to UDP port 1194:
This of course depends on the value in your /etc/openvpn/server.conf file.
[root@openvpn openvpn]# iptables -A RH-Firewall-1-INPUT -p udp --dport 1194 -j ACCEPT
- Allow/trust the tun0 interface through the firewall:
[root@openvpn openvpn]# iptables -A RH-Firewall-1-INPUT -i tun0 -j ACCEPT
- Masquerade your VPN subnet:
[root@openvpn openvpn]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
- Save your firewall configurations:
[root@openvpn openvpn]# iptables-save > /etc/sysconfig/iptables
- Start your OpenVPN server and make sure it runs at boot:
[root@openvpn openvpn]# service openvpn start
[root@openvpn openvpn]# chkconfig openvpn on
That's it. Shutdown the old installation, and make sure it doesn't accept any further connections, and ask your users to migrate to the new server.
I believe this covers all :-)
I hope this guide helps someone, please do let me know if something was incorrectly written or described.